Conducting a HIPAA Risk Assessment

The core of any effective HIPAA compliance program is the development of a risk assessment and management process (45 C.F.R. § 164.308(a)(1)(ii)(A) and (B)). Risk assessment is the process of identifying, estimating, and prioritizing information security risks (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, Section 2.3, September 2012). There is no single required method for performing a risk assessment; however, an effective risk assessment and management process should include at least the following steps: inventory, flow, scope, threats/vulnerabilities, likelihood, impact, risk, and response.

Inventory

For HIPAA compliance, the inventory should identify every location where protected health information (PHI) is stored, processed, or transmitted. This usually begins with the servers that host the electronic medical record or practice management software, and should expand to include all other ancillary storage and handling of PHI, such as email systems, Microsoft Office documents and spreadsheets, backup drives, laptop computers and mobile devices, and any cloud-hosted services or business associates that receive PHI on the organization's behalf. PHI that is missing from the inventory cannot be assessed, so this step is the foundation for everything that follows.

Flow

The risk assessment should next diagram the flow of information through the organization. For HIPAA compliance, this flow should track the movement of PHI into, within, and out of the organization, including transmissions to payers, clearinghouses, and business associates.

Scope

Not every risk assessment must be comprehensive. For example, a risk assessment may focus only on the HIPAA implications of implementing an electronic medical record. Where the risk assessment is narrower in scope, the scope of the assessment should be clearly defined and communicated in the documentation, so that a reader knows which assets and data flows from the inventory were and were not considered.

Threats/Vulnerabilities

After information and assets have been inventoried, data flow has been mapped, and scope has been defined, the risk assessment should identify potential threats and vulnerabilities relevant to the organization.

A threat is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A vulnerability is a flaw or weakness in system procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a breach or a violation (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, Section 2.3.1, September 2012). For example, a laptop thief is a threat; an unencrypted hard drive holding exported PHI is the vulnerability that thief could exploit.

To identify potential threats and vulnerabilities, the organization can consider information such as transmittals, alerts, or relevant guidance from regulatory agencies or payers; recent audit results, compliance investigations, security incident reports, and vulnerability scan results; coding or regulatory changes; and other industry guidance. The more specific the organization is in identifying threats and vulnerabilities, the more specific and actionable the risk assessment will be.

Risk

The end product of any risk assessment is the determination of the level of risk associated with each threat and vulnerability and the overall risk for the organization. A risk is the extent to which the organization is threatened by a particular event considering:

  1. the probability that a particular threat will exercise a particular vulnerability, and
  2. the resulting impact if this should occur.

There are different methodologies for calculating the level of risk, and the organization should document the method used. For example, what factors were considered in determining likelihood and impact? What matrix or formula was used to convert the likelihood and impact combination into a risk level? Documenting the method allows a later assessment, or an auditor, to reproduce the ratings.
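The following is an added example, not part of the original article, of one way to implement and document the likelihood-and-impact method described above. The five-level scales and the 5x5 look-up matrix are modeled on the qualitative scales in NIST SP 800-30 Rev. 1, Appendix I, but the exact cell values, the aggregation rule for overall organizational risk, and every register entry are constructed for this illustration and are assumptions, not the article's or NIST's own data.

```python
"""Score a HIPAA risk register by combining likelihood and impact.

Added example (not from the article): the scales and matrix below are
modeled on NIST SP 800-30 Rev. 1, Appendix I, but the cell values, the
aggregation rule, and the sample register are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, replace

# Ordered qualitative scale, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumed matrix: RISK_MATRIX[likelihood_index][impact_index] -> risk level.
RISK_MATRIX = [
    # impact:  Very Low    Low         Moderate    High        Very High
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],        # likelihood Very Low
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],   # likelihood Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # likelihood Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood Very High
]

# The documented method, written down so a later assessment can reproduce it.
METHOD_NOTE = (
    "Likelihood and impact are rated on a five-level qualitative scale and "
    "combined with the 5x5 matrix RISK_MATRIX (rows = likelihood, columns = "
    "impact); overall organizational risk is the highest entry-level risk."
)


@dataclass
class RiskEntry:
    asset: str             # PHI location taken from the inventory step
    threat: str
    vulnerability: str
    likelihood: str        # one of LEVELS
    impact: str            # one of LEVELS
    likelihood_basis: str  # factors considered when rating likelihood
    impact_basis: str      # factors considered when rating impact
    risk: str = ""         # filled in by score_register


def _index(level: str, what: str) -> int:
    """Map a scale label to its index; reject labels outside the scale."""
    if level not in LEVELS:
        raise ValueError(f"{what} must be one of {LEVELS}, got {level!r}")
    return LEVELS.index(level)


def risk_level(likelihood: str, impact: str) -> str:
    """Convert a (likelihood, impact) pair into a risk level via the matrix."""
    return RISK_MATRIX[_index(likelihood, "likelihood")][_index(impact, "impact")]


def score_register(entries):
    """Return new entries with risk filled in, ordered highest risk first.

    The input is not mutated, and ties keep their original order so the
    ranked register is reproducible from the same inputs.
    """
    scored = [replace(e, risk=risk_level(e.likelihood, e.impact)) for e in entries]
    return sorted(scored, key=lambda e: -LEVELS.index(e.risk))


def overall_risk(entries) -> str:
    """Assumed aggregation rule: organizational risk is the highest single risk."""
    return score_register(entries)[0].risk


def summarize_by_level(entries) -> dict:
    """Count register entries per risk level, for the assessment report."""
    return dict(Counter(e.risk for e in score_register(entries)))


# Constructed sample register for a small practice (illustrative data only).
SAMPLE_REGISTER = [
    RiskEntry("EHR database server", "Ransomware delivered by phishing",
              "Remote access without multi-factor authentication",
              "High", "Very High",
              "Phishing attempts seen weekly in mail logs",
              "Loss of availability of all patient records"),
    RiskEntry("Clinician laptop", "Theft or loss of device",
              "Disk not encrypted; PHI exported to a local spreadsheet",
              "Moderate", "High",
              "Two laptops lost in the last three years",
              "Breach notification for every record on the device"),
    RiskEntry("Email system", "Misdirected email containing PHI",
              "No outbound data-loss prevention check",
              "High", "Low",
              "Several misdirected messages reported per year",
              "Typically a single patient's record per event"),
    RiskEntry("Backup drives", "Water damage in server closet",
              "Backups stored in the same building as the server",
              "Very Low", "High",
              "No flooding history at this site",
              "Recovery impossible if primary and backups are both lost"),
]

if __name__ == "__main__":
    print(METHOD_NOTE)
    for entry in score_register(SAMPLE_REGISTER):
        print(f"{entry.risk:>9}  {entry.asset}: {entry.threat} / {entry.vulnerability}")
    print("Overall:", overall_risk(SAMPLE_REGISTER), summarize_by_level(SAMPLE_REGISTER))
```

Keeping the basis for each likelihood and impact rating on the entry itself, together with the matrix and the aggregation rule in one place, is what makes the method auditable: a reviewer can re-run the same inputs and get the same ranked register.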

Response

For each identified risk, the organization should document potential options evaluated for response, the option selected, the reason that option was determined to be appropriate, and the plan for implementation. This risk management plan can then be integrated into future assessments to evaluate the effectiveness of each response.

If implemented as a continual process within the organization, risk assessment and management can provide the structure necessary for the organization’s compliance program to constantly evolve and respond to industry changes.

Stacy Harper

Stacy Harper, JD, MHSA, CPC is a healthcare attorney with Lathrop & Gage LLP. Stacy currently serves on the National Advisory Board and Legal Advisory Board for AAPC. She works with healthcare providers around the country to navigate regulatory requirements such as HIPAA, data privacy and security, Stark, Anti-Kickback, state licensure, and Medicare conditions of payment and participation.
